Data Broker Discloses A Major Breach Of App User Data

Uploaded on 2025-01-20 in TECHNOLOGY--Hackers, NEWS-Cybersecurity News, FREE TO VIEW, BUSINESS-Services-IT & Telecoms

A subsidiary of a leading US location data broker, Unacast, has informed the Norwegian national Data Protection Authority, Datatilsynet, that it has been as breached is a severe incident. 

According to reports, the hack might have resulted in the theft of precise location data for millions of smartphone users. 

The subsidiary, named Gravy Analytics, told Datatilsynet that a  hacker accessed its Amazon Web Services (AWS) cloud storage environment. In its incident  report, Datatilsynet says that the breach involved the theft of information from a Gravy Analytics web server using a "misappropriated" key.  

While the breach report contains only a few details of the incident, hackers have claimed on a Russian cyber crime forum to have stolen a vast amount of data.  “The unauthorised person obtained some files, but the contents of those files and whether they contain personal data remains under investigation,” the breach report says.  If personal data was obtained it is ‘likely associated with users of third-party services that supply this data to Gravy Analytics,’ Datatilsynet's  report says.  

The hacked data appears to have originated in thousands of apps that Gravy Analytics drew data from, including Tinder, Grindr, Candy Crush and several religious and pregnancy tracking apps. A preliminary investigation showed that some of the stolen files "could contain personal data."

Unacast also owns Venntel, a data broker that also provides the US government with location data. In December 2024 the Federal Trade Commission (FTC) ruled that Gravy Analytics and Venntel violated the FTC Act by unfairly selling non-anonymised consumer location data. The FTC also alleged the firms used that data without obtaining “verifiable user consent for commercial and government uses.”  

Gravy Analytics apparently continued to gather and use consumers’ location data even after realising it did not give “informed consent” for the collection, the FTC said.  

The FTC order is notable because it sets new limits on law enforcement usage of the companies’ location data for investigative purposes. Law enforcement and intelligence agencies have acknowledged that they obtain data from brokers that historically would only have been available with a warrant. 

404Media   |    Datatilsynet   |    NRK   |  Record   |      

Image: Ideogram

You Might Also Read:  

A Guide to Understanding Market-Leading Data Storage Solutions:

If you like this website and use the comprehensive 7,000-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.

  • Individual £5 per month or £50 per year. Sign Up
  • Multi-User, Corporate & Library Accounts Available on Request

Cyber Security Intelligence: Captured Organised & Accessible

 

 

« EU Wants To Strengthen Cyber Defense In Healthcare  
Remote Deletion Of Malware Enforced On Thousands Of Computers  »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

DigitalStakeout

DigitalStakeout

DigitalStakeout enables cyber security professionals to reduce cyber risk to their organization with proactive security solutions, providing immediate improvement in security posture and ROI.

Syxsense

Syxsense

Syxsense brings together endpoint management and security for greater efficiency and collaboration between IT management and security teams.

Jooble

Jooble

Jooble is a job search aggregator operating in 71 countries worldwide. We simplify the job search process by displaying active job ads from major job boards and career sites across the internet.

Cyber Security Supplier Directory

Cyber Security Supplier Directory

Our Supplier Directory lists 6,000+ specialist cyber security service providers in 128 countries worldwide. IS YOUR ORGANISATION LISTED?

LockLizard

LockLizard

Locklizard provides PDF DRM software that protects PDF documents from unauthorized access and misuse. Share and sell documents securely - prevent document leakage, sharing and piracy.

Ground Labs

Ground Labs

Ground Labs is a security software company dedicated to making sensitive data discovery products that help organisations prevent sensitive data loss.

PhishLabs

PhishLabs

PhishLabs provides 24/7 services that help organizations protect against the cyberattacks targeting their employees, their customers and their brands.

Dcoya

Dcoya

Dcoya's complete security awareness training program gives you out-of-the-box compliance with PCI-DSS, HIPAA, SOX and ISO regulations.

Wireless Logic

Wireless Logic

Wireless Logic delivers a range of secure and resilient value-added M2M/IoT managed services that empower remote devices to communicate cost-effectively, two ways.

Cyberlitica

Cyberlitica

Cyberlitica (formerly iPhish) provides a Workforce Threat Intelligence application that significantly augments companies’ cyber threat prevention efforts.

Computest

Computest

Computest security testing services include Mobile app security, Vulnerability assessments, Attack & penetration testing, Security awareness training, Network security assessments.

Hold Security

Hold Security

Hold Security works with companies of all sizes to provide unparalleled Threat Intelligence services that actually make a difference.

ISARR

ISARR

The ISARR software platform - your bespoke Risk, Resilience & Security Management solution. Simple, cost effective and adaptable, now and into the future.

ANSEC IA

ANSEC IA

ANSEC is a consultancy practice providing independent Information Assurance and IT Security focussed services to customers throughout the UK, Ireland and internationally.

Atakama

Atakama

With Atakama, data remains encrypted until the very moment it is used, and the ability to decrypt is based on zero trust architecture.

LeadingIT

LeadingIT

Leading IT provides IT support, cloud computing, email support, cybersecurity, networking and firewall services to Chicagoland businesses.

E2E Technologies

E2E Technologies

E2E Technologies are a proactive, SLA-beating, managed service provider that busts the common stereotypes surrounding IT.

Distology

Distology

Distology are an award-winning cloud security distributor bringing a wealth of experience and strong relationships with a huge breadth of partners covering the UK, Ireland and Benelux.

Incyber

Incyber

Incyber is a fully integrated network and cybersecurity solutions provider contracted to safeguard public and private enterprise, high value data and sensitive industries.

Orca Fraud

Orca Fraud

Orca is an AI-driven fraud orchestration platform. We empower fraud fighters to outpace fraud using our custom ML models.

Ryan Financial Lines

Ryan Financial Lines

Ryan Financial Lines Cyber provides risk transfer solutions for complex cyber and technology exposures, globally.